Is it legal to send your data overseas?

David Braue

Pondering where to send your data? Time to read up on the laws that apply to your business.

Companies considering moving business information to overseas cloud-computing services must weigh up the potential impact of more than 450 separate Acts of Parliament, experts warn.

While countless Australian businesses are already hosting websites and applications on cloud services overseas using services from Amazon, Google and Microsoft, Anthony Wong – an intellectual property lawyer who runs AGW Consulting and is current president of the Australian Computer Society – warns they must ensure cloud data doesn't violate strict Australian business laws mandating customer privacy, retention of corporate records, enduring access to information, and so on.

"Just because your data is in the cloud doesn't mean you're absolved from your responsibility [to control business data]", says Wong.

These and other regulations require businesses to set standards for the management of business records and customer data, both of which have come into the spotlight as companies wrestle with the legal framework around moving core business functions and applications into the cloud.

"When a business decides to go into the cloud, they have to look at the sensitivity of their information and decide what level of security the cloud provider must have," Wong warns.

"Businesses should address it right from the start, establishing what the expectations are in terms of levels of service and expectations about ownership of the data. Courts are not likely to be understanding [of governance shortfalls] just because your data is in the cloud."

The onshore-versus-offshore debate has raged in cloud circles, with some parties promoting Australian data centres as a safer solution for preserving data sovereignty; others allege that foreign law-enforcement agreements – such as Australia's 25 long-entrenched Mutual Assistance in Criminal Matters treaties with foreign governments – mean Australian corporate data could be accessed by foreign governments even if housed on Australian soil.

This argument has also been made in relation to the US Patriot Act, which provides broad authority for law-enforcement agencies including seizure of data. That act was recently fingered by Microsoft in making a case for offshore hosting, but the broader mutual-assistance framework seems to suggest many of those Patriot Act powers are already available to authorities.

More immediately relevant is for companies to identify any potential customer data that might be stored in the cloud, and assess the legal environment in the country where the cloud servers are hosted.

Moving this data overseas isn't arbitrarily banned; Wong notes that provisions of the Privacy Act 1988's National Privacy Principle 9 (Transborder Data Flows) allow for movement of personal information offshore as long as the destination jurisdiction adheres to similar privacy principles; the individual involved has consented to the transfer, usually as part of service terms and conditions; and the transfer is necessary to benefit the individual.

Despite their determination to keep hold of their data, however, many companies are still being less than careful with their cloud diligence, says lawyer Erhan Karabardak, director of IT specialist firm Cooper Mills Lawyers.

"It's amazing how little due diligence people do with cloud services," he explains.

"People say 'our data is in the cloud' but if you ask them where, and in which country, and whether it's encrypted, they just don't know. Companies really just need to ask some of the basic questions."

Such questions become more complicated, Karabardak adds, when a particular cloud service distributes data between servers in different countries to boost the redundancy of data storage; for this reason, many cloud providers limit the movement of data outside of legally homogeneous zones such as the European Union.

Ultimately, while many companies prevaricate about data sovereignty issues, one legal expert suggests that growing momentum around cloud-computing adoption will clear away the fog of confusion around the issue – and create opportunities for Australian companies wanting to build cloud businesses on the back of Australia's relatively strict data governance policies.

"The culture of the web has been that people vote with their feet," says Professor Brian Fitzgerald, professor of intellectual property and innovation within the Law Faculty of Queensland University of Technology. "And there's no doubt people are going to the cloud."

"So if we want to have part of that market, it's very difficult to create an island where we say no data can be stored offshore. We've got to learn better to manage risk, and seek international solutions to those risks that cannot be solved by simple private agreement. Lawyers are working on the legal risks, but I'd be more excited to see Australia positioning itself as a centre for secure data storage."

10 comments so far

Forget all that jazz about the cloud and its future impact on data privacy.

I want to know how come my home phone number together with my name and address has ended in various marketing Indian call centres, now.

Shortly after Telstra, Optus, Westpac and other companies I use decided to move their support call centres to that country.

Coincidence? Not on your life, you believe that and I got a bridge to sell you.

Who authorized any of those companies to give away my personal data to a foreign company?

What, with "the cloud", somehow miraculously that - and much worse - won't happen?

Man, do I have a lot of bridges to sell, low klms too!

Commenter: Noons; Location: Sydney; Date and time: October 11, 2011, 3:16PM

What implications are there about the accessing of Australian data by foreign citizens, performed from an overseas country? E.g. the IT development and support by off-shore outsourcing companies. Which country has jurisdiction over data theft or malicious coding or fraud which stems from access of data or applications?

Commenter: AL; Date and time: October 11, 2011, 5:51PM

The article missed one other issue, taxation. In some circumstances an Australian business can be liable for tax on earnings from a database on a server, say in the US, and still have an obligation here. Too many issues to take a risk on cloud until it's sorted out.

Commenter: Sceptic; Date and time: October 11, 2011, 9:08PM

Ultimately it's whether the data can be accessed by other non-company people in a user-readable format. If it's secured and encrypted to a high level then it shouldn't be a problem. Providing, of course, backups are made.

Commenter: Kim; Location: Perth; Date and time: October 12, 2011, 12:54AM

Interesting! What I don't understand is why this is now a concern. Almost all multinational companies stored data offshore years before cloud was even dreamt of!

Commenter: Robert; Date and time: October 12, 2011, 12:55AM

Great article and globally very topical. When thinking of faxing confidential data, many Australian companies should be cautious about using a fax service such as eFax or Easylink who tend to store data outside Australia. An alternative would be for an organization to maintain its own fax server using a product such as RightFax or take advantage of all the benefits of a fax server but utilize it in a hosted environment in Australia.

Commenter: Matthew Brine; Location: United States; Date and time: October 12, 2011, 6:46AM

Anyone thinking of using Telstra Cloud should try their TBox first!

Commenter: Ron Spiers; Date and time: October 12, 2011, 7:28AM

Anthony, great article and very timely. This issue is at the heart of protection of both corporate and personal information. It is also a very important issue for ecommerce and online retail. Many online retailers are using offshore hosting and overseas cloud-based services with the belief that it costs less. But at what real risk to their customers and to themselves?

Commenter: John Debrincat; Location: Gladesville, NSW, Australia; Date and time: October 12, 2011, 8:56AM

Regarding the Indian call centre issue, the Telecommunications Act 1997 includes privacy provisions that ensure telecommunications carriers or service providers remain responsible for the protection of personal information - even when their services are provided by offshore subcontractual arrangements (Indian call centres). Essentially, Indian call centre operators are legally deemed employees of the Australian telco and subject to Australian law.

Commenter: Holster; Date and time: October 12, 2011, 10:48AM

There is no way I am going in any Cloud until they sort out this issue. Democratic countries only please, and preferably our own.
